11-27-2017 05:41 AM - edited 03-08-2019 12:53 PM
Hello all,
So my company needed to change a router and replace it with a Cisco 880 router.
The architecture is very easy. Two interfaces: one for the LAN and the other for the WAN.
I had to create a VLAN for the FE0 interface, because I couldn't turn it on due to some L2 compatibility or something like that. Nevertheless, I connected the interfaces and the internet worked. The issue is that with the old router I had 60mb/s of bandwidth, and with the Cisco I got only 6Mb/s!!! Which is a big loss of performance.
Well, I copied the config from: https://www.cisco.com/c/en/us/support/docs/routers/3600-series-multiservice-platforms/91193-rtr-ipsec-internet-connect.html
and it's like this:
VPN#show run
Building configuration...

Current configuration : 2170 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VPN
!
boot-start-marker
boot-end-marker
!
!
!--- Enable authentication, authorization and accounting (AAA)
!--- for user authentication and group authorization.
aaa new-model
!
!--- In order to enable Xauth for user authentication,
!--- enable the aaa authentication commands.
aaa authentication login userauthen local
!--- In order to enable group authorization, enable
!--- the aaa authorization commands.
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
!
!--- For local authentication of the IPsec user,
!--- create the user with a password.
username user password 0 cisco
!
!
!
!--- Create an Internet Security Association and
!--- Key Management Protocol (ISAKMP) policy for Phase 1 negotiations.
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!--- Create a group that is used to specify the
!--- WINS and DNS server addresses to the VPN Client,
!--- along with the pre-shared key for authentication. Use ACL 101 used for
!--- the Split tunneling in the VPN Client end.
crypto isakmp client configuration group vpnclient
 key cisco123
 dns 10.10.10.10
 wins 10.10.10.20
 domain cisco.com
 pool ippool
 acl 101
!
!--- Create the Phase 2 Policy for actual data encryption.
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
!--- Create a dynamic map and apply
!--- the transform set that was created earlier.
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
!--- Create the actual crypto map,
!--- and apply the AAA lists that were created earlier.
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface FE0
 switchport mode access
 switchport access vlan 100
 half-duplex
!--- Apply the crypto map on the outbound interface.
interface FE4
 ip address 172.16.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map clientmap
!
interface Vlan 100
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!--- Create a pool of addresses to be
!--- assigned to the VPN Clients.
!
ip local pool ippool 192.168.1.1 192.168.1.2
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 172.16.1.2
!--- Enables Network Address Translation (NAT)
!--- of the inside source address that matches access list 111
!--- and gets PATed with the FastEthernet IP address.
ip nat inside source list 111 interface FastEthernet 4 overload
!
!--- The access list is used to specify which traffic
!--- is to be translated for the outside Internet.
access-list 111 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit ip any any
!--- Configure the interesting traffic to be encrypted from the VPN Client
!--- to the central site router (access list 101).
!--- Apply this ACL in the ISAKMP configuration.
access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
control-plane
!
line con 0
line aux 0
line vty 0 4
!
end
If anyone could help I'll be grateful.
Thanks for your time
11-27-2017 05:50 AM
11-27-2017 06:28 AM
Thanks a lot! I guess you're correct. All interfaces are in full duplex, but still 6Mb/s bandwidth.
I guess the 880 doesn't support higher traffic.
11-27-2017 05:51 AM
Hi there,
Do you actually need all the crypto config, or did you copy that verbatim?
Certainly try the following:
!
interface FE0
 duplex auto
!
cheers,
Seb.
11-27-2017 06:31 AM
Not that much crypto, I guess. And I don't think it will cause that much loss in bandwidth either.
I set the interface to full, but I think my router isn't convenient.
Thanks a lot
11-27-2017 06:23 AM
11-27-2017 06:32 AM
Thank you a lot. Now I see why.